feat: graphql rate limiting directive

Author: NGPixel

CHANGELOG.md

@@ -10,6 +10,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - Added Page Delete functionality
 - Dev locale .yml files in `server/locales` are now loaded
 - Added SQLite dependencies in Docker image
+- Added rate limiting to login mutations
 
 ### Fixed
 - Fixed root admin refresh token fail

package.json

@@ -68,6 +68,7 @@
     "getos": "3.1.1",
     "graphql": "14.1.1",
     "graphql-list-fields": "2.0.2",
+    "graphql-rate-limit-directive": "0.1.0",
     "graphql-subscriptions": "1.0.0",
     "graphql-tools": "4.0.4",
     "highlight.js": "9.14.2",

server/graph/index.js

@@ -6,6 +6,7 @@ const autoload = require('auto-load')
 const PubSub = require('graphql-subscriptions').PubSub
 const { LEVEL, MESSAGE } = require('triple-beam')
 const Transport = require('winston-transport')
+const { createRateLimitTypeDef, createRateLimitDirective } = require('graphql-rate-limit-directive')
 
 /* global WIKI */
 
@@ -17,7 +18,7 @@ WIKI.GQLEmitter = new PubSub()
 
 // Schemas
 
-let typeDefs = []
+let typeDefs = [createRateLimitTypeDef()]
 let schemas = fs.readdirSync(path.join(WIKI.SERVERPATH, 'graph/schemas'))
 schemas.forEach(schema => {
   typeDefs.push(fs.readFileSync(path.join(WIKI.SERVERPATH, `graph/schemas/${schema}`), 'utf8'))
@@ -33,7 +34,12 @@ resolversObj.forEach(resolver => {
 
 // Directives
 
-let schemaDirectives = autoload(path.join(WIKI.SERVERPATH, 'graph/directives'))
+let schemaDirectives = {
+  ...autoload(path.join(WIKI.SERVERPATH, 'graph/directives')),
+  rateLimit: createRateLimitDirective({
+    keyGenerator: (directiveArgs, source, args, context, info) => `${context.req.ip}:${info.parentType}.${info.fieldName}`
+  })
+}
 
 // Live Trail Logger (admin)
 

server/graph/schemas/authentication.graphql

@@ -29,12 +29,12 @@ type AuthenticationMutation {
     username: String!
     password: String!
     strategy: String!
-  ): AuthenticationLoginResponse
+  ): AuthenticationLoginResponse @rateLimit(limit: 5, duration: 60)
 
   loginTFA(
     loginToken: String!
     securityCode: String!
-  ): DefaultResponse
+  ): DefaultResponse @rateLimit(limit: 5, duration: 60)
 
   register(
     email: String!

yarn.lock

@@ -5582,6 +5582,16 @@ [email protected]:
     loader-utils "^1.1.0"
     persistgraphql "^0.3.11"
 
+[email protected]:
+  version "0.1.0"
+  resolved "https://registry.yarnpkg.com/graphql-rate-limit-directive/-/graphql-rate-limit-directive-0.1.0.tgz#70888cd4fa84fcde731ffcb445fbc7a25fa5a790"
+  integrity sha512-mVZzuZUl6gmIHYaaMvO7YncHhW2R9B/6Tbr2Ka+kQT39KFIFTHh5+DTqUU4O/GxKcNfWO7Xm3dVF+dLcS+eF3g==
+  dependencies:
+    graphql "^14.0.2"
+    graphql-tag "^2.10.0"
+    graphql-tools "^4.0.0"
+    rate-limiter-flexible "^0.22.0"
+
 graphql-request@^1.5.0:
   version "1.8.2"
   resolved "https://registry.yarnpkg.com/graphql-request/-/graphql-request-1.8.2.tgz#398d10ae15c585676741bde3fc01d5ca948f8fbe"
@@ -5596,7 +5606,7 @@ [email protected], graphql-subscriptions@^1.0.0:
   dependencies:
     iterall "^1.2.1"
 
-graphql-tag@^2.0.0, graphql-tag@^2.10.1, graphql-tag@^2.4.2, graphql-tag@^2.9.2:
+graphql-tag@^2.0.0, graphql-tag@^2.10.0, graphql-tag@^2.10.1, graphql-tag@^2.4.2, graphql-tag@^2.9.2:
   version "2.10.1"
   resolved "https://registry.yarnpkg.com/graphql-tag/-/graphql-tag-2.10.1.tgz#10aa41f1cd8fae5373eaf11f1f67260a3cad5e02"
   integrity sha512-jApXqWBzNXQ8jYa/HLkZJaVw9jgwNqZkywa2zfFn16Iv1Zb7ELNHkJaXHR7Quvd5SIGsy6Ny7SUKATgnu05uEg==
@@ -5640,7 +5650,7 @@ [email protected]:
     svg-pan-zoom "^3.5.2"
     viz.js "2.0.0"
 
-[email protected]:
+[email protected], graphql@^14.0.2:
   version "14.1.1"
   resolved "https://registry.yarnpkg.com/graphql/-/graphql-14.1.1.tgz#d5d77df4b19ef41538d7215d1e7a28834619fac0"
   integrity sha512-C5zDzLqvfPAgTtP8AUPIt9keDabrdRAqSWjj2OPRKrKxI9Fb65I36s1uCs1UUBFnSWTdO7hyHi7z1ZbwKMKF6Q==
@@ -10589,6 +10599,11 @@ range-parser@^1.0.3, range-parser@~1.2.0:
   resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.0.tgz#f49be6b487894ddc40dcc94a322f611092e00d5e"
   integrity sha1-9JvmtIeJTdxA3MlKMi9hEJLgDV4=
 
+rate-limiter-flexible@^0.22.0:
+  version "0.22.4"
+  resolved "https://registry.yarnpkg.com/rate-limiter-flexible/-/rate-limiter-flexible-0.22.4.tgz#bdaee6968f527b9f8577163d7cca7a3620bb0d0f"
+  integrity sha512-DKGzgcB8JDLxnojhnhr62D+eqIHjIfXCOpdeHiE77TJves/qiLGHrZpqEpWZ3f3aNDnvA6YB4FrM3/zorETrMw==
+
 [email protected]:
   version "2.6.4"
   resolved "https://registry.yarnpkg.com/raven/-/raven-2.6.4.tgz#458d4a380c8fbb59e0150c655625aaf60c167ea3"